Extraction Precedence

Path Finder

If you have index-time extractions configured, will search-time extractions override them?


Re: Extraction Precedence


No, indexing has to happen before searching. This can explain it in more detail:

What Splunk Does With Your Data



Re: Extraction Precedence

Ultra Champion

Well, not entirely true - you can override the values of index-time extractions for the duration of a search (see below), but once an event is stored in an index, it cannot be altered on disk by search-time operations.

* | head 5 | eval host=host . "-monkey" | eval source=source . "-crane" | eval sourcetype=sourcetype . "-blah" | table host source sourcetype

Edit: clarification